Review of Mainframe Access Controls at the Application Level
Federal Financial System, Report No. 04-07, September 7, 2004

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) audit of the effectiveness of access controls in ensuring security over the Federal Financial System (FFS), a component of the Railroad Retirement Board’s (RRB) financial management application system.

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out nearly $9 billion in benefits during fiscal year (FY) 2003.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local (LAN) and wide area networks. The major application systems correspond to the RRB’s critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration.

The agency’s Chief Information Officer, also the director of the RRB’s Bureau of Information Services, has overall responsibility for administration of both data processing and end-user computing as well as in-house systems development. Within the Bureau of Information Services, the Chief Security Officer has primary responsibility for coordinating, evaluating and reporting on information security within the agency.

FFS is a mainframe application that supports financial management and reporting, including control of the agency’s budget, procurement and preparation of the interim and annual financial reports. Access to the mainframe environment is password protected. FFS includes an additional system of security functions that controls user accesses, document approval processing procedures and logging features.

The Bureau of Fiscal Operations is the owner-of-record for FFS and has responsibility for system administration. The system administrator maintains the security settings within FFS, including the access privileges of new and existing users. FFS is used extensively throughout the agency. In December 2003, approximately 500 of the agency’s 1,128 employees had access to FFS.

Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality and availability. Access controls limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure. Previous OIG security evaluations cited the agency for a material weakness due to significant deficiencies in access controls in both the mainframe and end-user computing environments and in the training provided to staff with significant security responsibilities.

The Office of Management and Budget (OMB) has published guidance to assist Federal managers in meeting the management control and computer security requirements of the Computer Security Act of 1987, the Chief Financial Officers Act of 1990, and the Clinger-Cohen Act of 1996. OMB Circular A-130, “Management of Federal Information Resources,” Appendix III, dated November 30, 2000, establishes policy for the management of Federal information resources and establishes a minimum set of controls to be included in Federal automated information security programs.

This evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347), Title III, the Federal Information Security Management Act of 2002 (FISMA), which requires annual Inspector General security evaluations.

Objective, Scope and Methodology

The objective of this evaluation was to assess the effectiveness of access controls in limiting and detecting access to the FFS system.

In order to accomplish our objective, we:

   • identified users of FFS as of December 2003 and documented their system privileges;
   • obtained an understanding of the security configuration of the FFS system;
   • obtained an understanding of the policies and procedures through which system access is requested, authorized, granted and maintained;
   • obtained an understanding of the access re-authorization process through discussions with responsible management and staff, and reviews of supporting documentation as available; and
   • used statistical sampling to assess the effectiveness of controls in limiting access to FFS.

Our sampling methodology and results are presented in Appendix I to this report.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters in Chicago, Illinois during December 2003 through May 2004.

RESULTS OF REVIEW

Our audit tests disclosed that existing controls are not adequate to ensure that FFS users are limited to only those system privileges required for the performance of their current jobs. In addition, we observed that FFS features designed to ensure accountability for changes to certain security settings have not been implemented. We also questioned the level of assurance provided by current document approval settings.

The details of our findings and recommendations follow. Management has agreed to take the recommended corrective action. The full text of the responses of the Bureaus of Information Services and Fiscal Operations is included in this report as Appendices II and III respectively.

Controls Are Not Effective in Limiting Access

The RRB’s existing control framework is not adequate to ensure that the access privileges granted to users of the FFS are limited to those required for the performance of their current job. Our conclusion is based on the results of a statistical sample that indicate the agency has not ensured that the privileges of at least 95% of FFS users have been appropriately restricted.

OMB Circular A-130 requires Federal agencies to limit a user’s access (to data files, processing capability, or peripherals) or type of access (read, execute, delete) to the minimum necessary to perform his or her job. Current RRB policy calls for periodic system re-authorization reviews, an internal control process designed to identify changes in user needs. During the re-authorization, supervisors have the opportunity to review the current access privileges of their staff and identify any needed changes or corrections.

The Bureau of Fiscal Operations, the system owner, is responsible for ensuring that re-authorization reviews are scheduled and completed. The Bureau of Fiscal Operations has not performed a re-authorization review for nearly five years. The last re-authorization of the FFS system was conducted in 1999. A review scheduled for FY 2003 was not performed and had not been re-scheduled as of the end of our fieldwork.

In addition to the lack of an effective re-authorization process, we also noted that higher-level executives are often granted system privileges for document entry and approval although these tasks are typically performed by subordinate staff members.

During the period of our review, the agency’s Chief Security Officer, organizationally within the Bureau of Information Services Risk Management Group, had not assumed any direct oversight responsibility for this process. The lack of effective procedures and controls to ensure that FFS user accesses are limited to the requirements of their current job weakens the overall structure of information security.

Recommendations

We recommend that:

   1. The Bureau of Information Services implement a quality assurance program to ensure the effectiveness of the re-authorization process for FFS. Such a process should include:

       • a review for completeness of documentation;
       • periodic testing to verify the effectiveness of the process; and
       • issuance of an annual report communicating to the Chief Information Officer the results of the annual re-authorization process, including an objective assessment of its overall effectiveness.

   2. The Bureau of Fiscal Operations, as the system owner, coordinate a review of pre-defined security profiles to ensure that they properly reflect current job requirements.

Management’s Response

The Bureau of Information Services concurs with the recommendation for implementation of a quality assurance program and states that it has already submitted a personnel request to assign staff; however, due to limited resources, the implementation of the program will be a multi-phased approach.

The Bureau of Fiscal Operations agrees that predefined security profiles for FFS users should reflect their current job requirements and will conduct a review of FFS security profiles.

Accountability for Changes to Core Security Controls Not Ensured

Existing controls do not provide adequate accountability for changes to FFS’ core security tables. As a result, the system audit trail is not adequate to identify the sources of changes to security settings.

OMB Circular A-130 requires that Federal information systems provide accountability. Accountability is defined as the existence of a record that permits the identification of an individual who performed some specific activity so that responsibility for that activity can be established. We would have expected to see an audit trail, in the form of transaction logs, for changes to all core security tables to ensure accountability as well as separation of duties between those system users who initiate/approve changes and the agency personnel who review the logs.

FFS has the capability to provide accountability through the creation of logs that capture date, time and initiator of changes to security tables. However, this feature has not been implemented for the tables that comprise FFS’ core system security.

Only FFS system administrators can initiate changes to system security settings. The system administrators determine which changes will be logged. The need for logging changes to core security tables was overlooked because of the small number of individuals within the agency who can make such changes and the strong trust relationship among them.

Recommendation

We recommend that:

   3. The Chief Security Officer work with the system administrator to determine which security-related transactions should be logged, and identify the appropriate level of management to receive and review the logs.

Management’s Response

The Bureau of Information Services concurs with the recommendation and has agreed that the Chief Security Officer will work with the FFS system administrator to determine which security-related transactions should be logged and the appropriate level of management to receive and review them.

Implementation of Document Approvals

The document approval functions of FFS have been implemented in a manner that implies a higher level of assurance about separation of duties than is actually achieved.

Transaction processing typically requires at least one level of approval; however, the system has been configured so that:

    • transactions requiring only one level of approval can be authorized by the same person who enters the transaction, and
    • transactions requiring multiple levels of approval can be fully authorized by a single individual.

Transactions, such as document approvals, should be executed in accordance with management’s directives.[1] The security settings for individual transactions within FFS imply a high level of control through strict separation of duties which, in reality, has not been achieved. As a result, we question whether the current combination of system settings achieves management’s intentions with respect to separation of duties and the authorization of transactions.

Recommendation

We recommend that:

    4. The Bureau of Fiscal Operations coordinate a review of the core security settings to ensure that the configuration of document approvals and award of approval privileges has properly implemented management’s intentions with respect to transaction processing.

Management’s Response

The Bureau of Fiscal Operations agrees with the recommendation and will conduct a review of the core security settings.

[1] “Standards for Internal Control in the Federal Government,” General Accounting Office, November 1999, GAO/AIMD-00-21.3.1

Appendix I
Sampling Methodology and Results

We used statistical sampling to assess the effectiveness of controls designed to limit FFS user access to those privileges required in performance of their assigned duties.

Audit Objective

The objective of our test was to determine whether the agency has been effective in restricting the privileges of users of FFS to only those required for performance of their current job.

Scope

We selected the sample from the population of 527 FFS users as of December 2003.

Review Methodology

We used statistical acceptance sampling with 95% confidence and a 5% tolerable error rate, which directed a 142-case sample. The threshold for acceptance was three exceptions. Three exceptions would permit the auditors to infer, with 95% confidence, that controls were adequate to ensure that no fewer than 95% of FFS users had only the access privileges required for their current job.

Any user who had privileges that exceeded the requirements of their current position was counted as an exception.

Results of Review

Our evaluation of 142 randomly selected FFS user access profiles identified eight users whose access profile included privileges that were not required to perform current job responsibilities. We identified:

   • five executives who had been given and maintained access to process procurement-related transactions that they did not use because those responsibilities had been delegated to subordinates;
   • two employees who had retained privileges required for a previous position but not required by their current job; and
   • one employee who had been granted privileges inconsistent with current or past job responsibilities.

Audit Conclusion

The eight exceptions exceed the sample acceptance threshold. As a result, we cannot conclude that controls are adequate to ensure that at least 95% of FFS users had only the access privileges required for performance of their current job.
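The acceptance-sampling plan in Appendix I (527 users, 142 sampled, accept on at most three exceptions, 5% tolerable error, 95% confidence) can be checked with exact hypergeometric arithmetic. The following is an added worked example and is not part of the OIG report; the population, sample size, threshold and observed exception count are the report's own figures, while the function names and the assumption that the sample was drawn without replacement are the author's of this example.

```python
from fractions import Fraction
from math import comb

# Sampling plan figures taken from Appendix I of the report.
POPULATION = 527                    # FFS users as of December 2003
SAMPLE_SIZE = 142                   # cases directed by the plan
ACCEPT_LIMIT = 3                    # exceptions that still permit acceptance
OBSERVED = 8                        # exceptions actually found
TOLERABLE_RATE = Fraction(5, 100)   # 5% tolerable error
CONFIDENCE = Fraction(95, 100)      # 95% confidence


def prob_at_most(exceptions, noncompliant, population=POPULATION, sample=SAMPLE_SIZE):
    """Exact P(X <= exceptions) when `noncompliant` of `population` users hold
    excess privileges and `sample` users are reviewed without replacement.
    Rational arithmetic avoids any floating-point rounding (assumed model)."""
    total = comb(population, sample)
    compliant = population - noncompliant
    return sum(Fraction(comb(noncompliant, k) * comb(compliant, sample - k), total)
               for k in range(exceptions + 1))


def smallest_intolerable_count(population=POPULATION, rate=TOLERABLE_RATE):
    """Fewest noncompliant users at which the population breaches the
    tolerable rate (27 of 527 is 5.12%, the first count at or above 5%)."""
    k = 0
    while Fraction(k, population) < rate:
        k += 1
    return k


def plan_is_valid(limit=ACCEPT_LIMIT, population=POPULATION, sample=SAMPLE_SIZE):
    """True when accepting on <= `limit` exceptions really yields 95% confidence:
    a population at or above the tolerable rate must pass at most 5% of the time."""
    worst = smallest_intolerable_count(population)
    return prob_at_most(limit, worst, population, sample) <= 1 - CONFIDENCE


def upper_bound_noncompliant(observed=OBSERVED, population=POPULATION, sample=SAMPLE_SIZE):
    """One-sided 95% upper bound on noncompliant users given `observed` exceptions:
    the largest count that would still produce so few exceptions at least 5% of the time."""
    k = observed
    while k < population and prob_at_most(observed, k + 1, population, sample) > 1 - CONFIDENCE:
        k += 1
    return k


if __name__ == "__main__":
    print("plan valid:", plan_is_valid())                       # True, ~3.9% risk
    print("P(<=8 | 27 bad):", float(prob_at_most(OBSERVED, 27)))  # far above 0.05
    print("95% upper bound on noncompliant users:", upper_bound_noncompliant())
```

Computing the same chance with a binomial (with-replacement) model gives roughly 6%, above the 5% risk the plan needs, so the 27% sampling fraction is what makes the 142-case plan work.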